Cryptology ePrint Archive: Report 2009/509

Practical Key Recovery Attacks On Two McEliece Variants

Valerie Gauthier Umana and Gregor Leander

Abstract: The McEliece cryptosystem is a promising alternative to conventional public key encryption
systems like RSA and ECC. In particular, it is supposed to resist even attackers equipped with quantum
computers. Moreover, the encryption process requires only simple binary operations making it a good
candidate for low cost devices like RFID tags. However, McEliece's original scheme has the drawback
that the keys are very large. Two promising variants have been proposed to overcome this disadvantage.
The rst one is due to Berger et al. presented at AFRICACRYPT 2009 and the second is due to Barreto
and Misoczki presented at SAC 2009. In this paper we rst present a general attack framework and
apply it to both schemes subsequently. Our framework allows us to recover the private key for most
parameters proposed by the authors of both schemes within at most a few days on a single PC